This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Logging in to Workday using Identity Server

The following topics guide you through configuring Workday and the WSO2 Identity Server (IS) to enable logging into Workday through the WSO2 IS. 

Prerequisites 

  1. A Workday administrator account.

  2. The WSO2 extracted public certificate (wso2carbon.jks).

     See here for instructions on extracting and printing the public certificate

    Extract and Print the public certificate

    1.  Open a terminal window and navigate to the <IS_HOME>/repository/resources/security/ directory.
    2. Run the following keytool command to extract the public certificate from the wso2carbon.jks file, located in the directory mentioned above. The keystore password is wso2carbon.

      keytool -export -alias wso2carbon -file key.crt -keystore wso2carbon.jks

      Warning: In a production environment you must not use the default wso2carbon.jks which comes with the WSO2 Identity Server.

    3. Run the following command to print the extracted public certificate.

      openssl x509 -text -inform DER -in key.crt 

      You will recieve a response similiar to the example below.

      -----BEGIN CERTIFICATE-----
      MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJV
      UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoM
      BFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAy
      MTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwN
      TW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0
      MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzO
      M4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe
      0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXn
      RS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcN
      AQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTm
      xbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogR
      Kv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=
      -----END CERTIFICATE-----

Configuring Workday

  1. Login to the Workday account as an administrator.
  2. Open the Edit Tenant Setup and click Security
  3. Select the Enable SAML Authentication checkbox.
  4. Enter the identity provider name and the issuer as follows.
    • Identity Provider Name: wso2_is
    • Issuer: localhost

    Note: The issuer name must be equal to the issuer value that comes with the SAML Response from the identity provider.

  5. Add the public certificate of the Identity Provider (which you extracted as a prerequisite)  
  6. Click on create and insert Name, Valid To, Valid from, and the certificate in the interface that appears.  

    You can get the certificate's info and validate it here.

  7. Enable the Workday initiated logout as seen below. 
  8. Set the following environments.
  9. Generate a private key pair if you do not already have one. This certificate will be used inside the WSO2 IS to validate the incoming authentication and logout requests from Workday.

    Tip: You can import a certificate to the WSO2 trust store using the following command (pw: wso2carbon).

    keytool -import -alias workday -file workday.crt -keystore client-truststore.jks

    Restart WSO2 Identity Server after the certificate import.

  10. Enter the following details and click OK. Finally, click Done.

    FieldSample Value

    Service Provider ID

    The Service provider ID must start with "http://www.workday.com/".

    http://www.workday.com/test_app
    Enable SP initiated SAML authenticationChecked (enabled)
    IdP SSO Service URLhttps://localhost:9443/samlsso

    Sign SP-initiated Authentication Request

    Enable this to sign the login request

    Checked (enabled)

    Do Not Deflate SP-initiated Authentication Request

    Select this checkbox to disable deflating of requests

    Checked
    Authentication Request Signature MethodSHA1

Configuring WSO2 IS

  1. Start the IS server and log in to the management console.
  2. Navigate to Service Providers>Add under the Main menu and add a new service provider. 
  3. Expand the Inbound Authentication Configuration section, then the SAML2 Web SSO Configuration Section and click Configure.
  4. In the form that appears, fill out the following configuration details required for single sign-on and click Register.

    See the following table for the details. 

    FieldSample ValueDescription
    Issuerhttps://workday.com/test_app
    This is the <saml:Issuer> element that contains the unique identifier of the service provider. This is also the issuer value specified in the SAML Authentication Request issued by the service provider. Ensure that this value is equal to the Service Provider ID set in the Workday configuration.
    Assertion Consumer URLhttps://www.workday.com/your.tenant/login-saml.flex

    This is the URL to which the browser should be redirected to after the authentication is successful. This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this ACS URL. However, if the SAML2 request is signed and SAML2 request contains the ACS URL, the Identity Server will honour the ACS URL of the SAML2 request.

    Tip: The ACS URL must be in the following format: https://www.myworkday.com/<Your workday tenant name>/login-saml.flex

    NameID FormatThe default value can be used here.This defines the name identifier formats supported by the identity provider. The service provider and identity provider usually communicate with each other regarding a specific subject. That subject should be identified through a Name-Identifier (NameID) , which should be in some format so that It is easy for the other party to identify it based on the format. Name identifiers are used to provide information regarding a user.
    Certificate Aliaswso2carbon.certSelect the public certificate alias of the service provider (See step 8 of the Workday configuration) from the dropdown. This is used to validate the signature of SAML2 requests and is used to generate encryption. Basically the service provider’s certificate must be selected here. Note that this can also be the Identity Server tenant's public certificate in a scenario where you are doing a tenant specific configuration.
    Enable Response SigningSelected

    Select Enable Response Signing to sign the SAML2 Responses returned after the authentication process.

    Enable Signature Validation in Authentication Requests and Logout RequestsSelected

    This specifies whether the identity provider must validate the signature of the SAML2 authentication request and the SAML2 logout request that are sent by the service provider. 

    Enable Single LogoutSelected

    Select Enable Single Logout so that all sessions are terminated once the user signs out from one server. If single logout is enabled, the identity provider sends logout requests to all service providers. Basically, the identity provider acts according to the single logout profile. If the service provider supports a different URL for logout, you can enter a SLO Response URL and SLO Request URL for logging out. These URLs indicate where the request and response should go to. If you do not specify this URL, the identity provider uses the Assertion Consumer Service (ACS) URL. 

    Tip: The single logout URL must be in the following format: https://www.myworkday.com/<Your workday tenant name>/logout-saml.flex

  5. Click Update to save. 
  6. Access the ACS URL from your browser to login to Workday using the WSO2 IS: https://www.myworkday.com/<Your workday tenant name>/login-saml2.flex. 

To change the Issuer value that comes with SAML response through the Identity server, do the following:

  1. Login to the management console and navigate to Identity Providers>List under the Main menu.
  2. Click on Resident Identity Provider.
  3. Expand the Inbound Authentication Configuration section and then the SAML2 Web SSO Configuration section.
  4. Change the value of the Identity Provider Entity ID to the required Issuer value and click Update.